'Last-minute' presentations
14:40 - 15:00 Dmitry Gryaznov McAfee
15:00 - 15:20 Sergei Shevchenko PC Tools
Technical stream: Thursday 20 September 2007, 14:00 - 14:40.
14:40 - 15:00 Dmitry Gryaznov. Terminating hidden processes
The presentation will discuss the challenges associated with terminating hidden processes. It is composed
of three parts:
Part I is a technical background that covers:
- The Windows kernel active process list
- How process enumeration works on Windows
- The Windows system or kernel process
- How process deletion works on Windows
Part II discusses the rootkit challenge:
- How rootkits make their processes orphaned and hidden
- How to detect hidden processes
- The challenge of terminating hidden orphaned processes
- The solution
- Suggestions to Microsoft
- Conclusions
Part III is a live demo in the kernel debugger showing all of the things discussed in the presentation.
15:00 - 15:20 Sergei Shevchenko. A 'sting operation' to fool suspected threats
Threats can end up on a computer from numerous sources: via email, through chat programs such as Messenger or
IRC clients, or by browsing Internet sites that host malware.
When new suspected threat files are identified, system administrators can send these files to an Internet security
company, such as an anti-virus or anti-malware vendor, for analysis. These companies investigate the threats and,
some time later, from a few hours up to 48 hours depending on the complexity of the threat, provide updated
database definitions to remove them. In some circumstances, if the threat warrants additional research, a
detailed description of it is subsequently posted on the Internet.
Nevertheless, the downtime between identifying the relevant threat files and receiving a database update to
remove the infection can result in severe financial losses to an organization.
This is where Threat Expert steps in. Threat Expert takes a threat file, places it in a self-contained environment,
deliberately executes the threat in this environment and then monitors its behaviour. Snapshots of the file system,
Windows Registry, network traffic and memory are recorded, in addition to a series of specific 'hooks' that
intercept the communication routes typically exploited by threat infections.
These hooks 'deceive' the threat into communicating across a simulated network, while the threat's communication
actions are actually being recorded in detail by Threat Expert. Using this invaluable recorded data, a detailed
report is generated, consisting of system changes, memory and traffic dump analyses, and other important system
activities caused by the threat.
This presentation is a practical guide to the advantages of using an advanced automated threat analysis system in
the current climate of zero-hour threats to effectively reduce the time taken between first detection and
solution/signature.
The presentation covers the following topics:
- Snapshotting the system: file system, Windows Registry, running processes/services, loaded modules, allocated memory pages, open ports
- Proactive memory scanner: how to catch a threat process in memory once it is fully unpacked
- 'Talk to me, baby' - implementation of the 'fake' servers such as DCOM RPC, IRC, HTTP, DNS/SMTP
- 100% bullet-proof rootkit detection: catching Mailbot/Rustock and Storm/Zhelatin rootkits
- API monitor/interceptor: reporting various threat behaviour
- Kernel mode driver: detecting SSDT/IRP-hooks
- 'Goat on a leash': a practical implementation of the automated threat analysis system on physical hardware - no virtual machines, no sandboxes. 'Goat on a leash' defeats Themida protection and successfully analyses threats that employ various detection methods and/or attack vectors against VMs
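As an added illustration of the snapshotting and system-change reporting described in the Threat Expert abstract above (this is example code written for this page, not Threat Expert's own code), the following Python diffs a constructed 'before' and 'after' snapshot of files, Registry values, processes and listening ports, then flags the changes an analyst reads first. All paths, hashes and values are constructed sample data; the flagging rules are assumed heuristics, not the product's.

```python
# Added example (not Threat Expert's code): a before/after snapshot differ of the kind
# the system-change report above is built on. All snapshot contents are constructed.
from dataclasses import dataclass

@dataclass
class Snapshot:
    files: dict      # path -> content hash (constructed strings here)
    registry: dict   # "key\value" -> data
    processes: set   # running process names
    ports: set       # listening TCP ports

AUTORUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"

def diff_snapshots(before, after):
    """Items created, deleted or (for keyed data) modified between two snapshots."""
    report = {}
    for name in ("files", "registry"):
        old, new = getattr(before, name), getattr(after, name)
        report[name] = {"created": sorted(new.keys() - old.keys()),
                        "deleted": sorted(old.keys() - new.keys()),
                        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}
    for name in ("processes", "ports"):
        old, new = getattr(before, name), getattr(after, name)
        report[name] = {"created": sorted(new - old), "deleted": sorted(old - new)}
    return report

def flag_report(report):
    """Highlight what an analyst reads first: persistence, new drivers, new listeners."""
    flags = []
    for key in report["registry"]["created"] + report["registry"]["modified"]:
        if key.lower().startswith(AUTORUN_KEY):
            flags.append("autorun entry: " + key)
    for path in report["files"]["created"]:
        if path.lower().endswith(".sys"):
            flags.append("new kernel driver file: " + path)
    for port in report["ports"]["created"]:
        flags.append("new listening port: %d" % port)
    return flags

# Constructed snapshots: "after" adds a modified system file, a driver, a Run-key
# entry and an IRC-style listener on top of the clean baseline.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = Snapshot(files={r"C:\Windows\explorer.exe": "h1", r"C:\Windows\System32\svchost.exe": "h2"},
                  registry={RUN + r"\Sound": "sndvol.exe"}, processes={"explorer.exe", "svchost.exe"}, ports={135, 445})
AFTER = Snapshot(files={**BEFORE.files, r"C:\Windows\System32\svchost.exe": "h2x",
                        r"C:\Windows\System32\drivers\sample.sys": "h3"},
                 registry={**BEFORE.registry, RUN + r"\Updater": r"C:\Temp\updater.exe"},
                 processes={"explorer.exe", "svchost.exe", "updater.exe"}, ports={135, 445, 6667})
if __name__ == "__main__":
    print("\n".join(flag_report(diff_snapshots(BEFORE, AFTER))))
```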